On Fri, Apr 13, 2012 at 9:53 PM, Éric Araujo <eric at netwok.org> wrote:
> bugs.python.org already sanitizes the ok_message and Ezio already posted a
> patch to the upstream bug tracker, so I don’t see what else we could do.

I am +1 with Glyph that XSS protection in Roundup is an unreliable hack. Ezio's patch just prolongs the agony - it doesn't make it better. Code becomes less maintainable.

There are two solutions to that:

1. Use a specialized library such as http://pypi.python.org/pypi/MarkupSafe/ - benefits: easier maintenance, to get future fixes without waiting until somebody has the time to test attacks on Roundup
2. Quote all HTML on the server side and use alternative (wiki) markup for message decorations
3. Do not allow HTML content to be injected through the URL

> Also note that the Firefox extension NoScript blocks the XSS in this case.

NoScript blocks everything, doesn't it?
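The three options in the message above, as an added illustration that is not part of the original thread and not Roundup's or bugs.python.org's code: a reflected "ok message" taken from the query string and dropped into the page unescaped, the same rendering with every untrusted string escaped at the point it meets HTML, and the stricter variant in which the URL may only name a server-side message rather than carry text. The template, the message table and the `@ok_message` parameter name are assumptions for the example; the standard library's `html.escape` stands in for MarkupSafe's `escape`, which escapes the same five characters and additionally returns a `Markup` object that later formatting will not escape again.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed template in the style of a tracker's status banner (assumption).
TEMPLATE = '<p class="ok-message">{msg}</p>'

# Constructed table of server-side messages for option 3 (assumption).
OK_MESSAGES = {
    "issue_created": "Issue created.",
    "message_added": "Your message has been added.",
}


def ok_message_from_url(url: str) -> str:
    """Pull the reflected parameter out of a request URL.

    The parameter name is an assumption for this example.
    """
    query = parse_qs(urlsplit(url).query)
    return query.get("@ok_message", [""])[0]


def render_unsafe(ok_message: str) -> str:
    """The pattern under discussion: the URL parameter lands in the page as-is.

    Anything the attacker puts in the link (tags, event handlers) is served
    back to the victim as markup.
    """
    return TEMPLATE.format(msg=ok_message)


def render_escaped(ok_message: str) -> str:
    """Options 1 and 2: escape at the HTML boundary, never in the business logic.

    quote=True also escapes " and ' so the same helper is safe inside a
    quoted attribute value, not only in element text.
    """
    return TEMPLATE.format(msg=html.escape(ok_message, quote=True))


def render_from_key(ok_key: str) -> str:
    """Option 3: the URL selects a message; it cannot supply one.

    Unknown keys render nothing, so there is no string from the request
    that ever reaches the page. The known text is still escaped, because
    the table may grow entries containing & or < later.
    """
    text = OK_MESSAGES.get(ok_key)
    if text is None:
        return ""
    return TEMPLATE.format(msg=html.escape(text, quote=True))


if __name__ == "__main__":
    # Constructed attack URL (assumption); the payload is the classic probe.
    link = ("http://tracker.example/issue1"
            "?@ok_message=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E")
    payload = ok_message_from_url(link)
    print("unsafe :", render_unsafe(payload))
    print("escaped:", render_escaped(payload))
    print("keyed  :", repr(render_from_key(payload)))
    print("keyed  :", render_from_key("issue_created"))
```

Escaping fixes the symptom at every output site, which is why the message argues for a library that does it consistently; the keyed variant removes the input altogether, which is the only one of the three that leaves nothing for a future markup change to break.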